The Secrets Behind Secure Passwords

At some point in our lives, we’ve all gone through some online account creation process and created a password. Frequently, we’re required to choose a password that includes something like at least one capital letter, one number, et cetera. The stricter the criteria, the more layers of security we think we’ve added to our passwords.

However, that's not actually the case: every rule a password must satisfy removes candidates that an attacker would otherwise have to try.

The math behind password security

To understand why, let's do some math. (It will be really simple, I promise.) One method of attempting to defeat a password is to simply try all possible character combinations. This tactic is referred to as a "brute force" attack. It goes without saying that a password with fewer possible combinations is easier to brute force than a password with more possibilities. In cryptography, the set of all possible passwords (or keys) is referred to as the "keyspace". On average, an attacker who brute forces a uniformly chosen password must try about half of the keyspace before finding it, so the size of the keyspace sets the expected cost of the attack.

Now, suppose I'm getting an account for a site that only requires two-character passwords. Since there are a total of 95 printable ASCII characters, that means we have a total of 95 x 95 = 9,025 possible combinations. Suppose an attacker could try five passwords per second. To try half the possible combinations (about 4,500) would take about 900 seconds.

But what if the site decides to enforce a policy that at least one character in the password must be a number? The attacker can now skip every password that contains no digit at all: 85 x 85 = 7,225 of the 9,025 combinations. Only 1,800 candidates remain, and the same attacker would try half of them in about 180 seconds. (If the policy also fixed which position must hold the digit, the keyspace would shrink further, to 95 x 10 = 950 combinations, half of which can be tried in about 95 seconds.)

Of course, no site would allow two-character passwords (I hope). The math, however, is similar with longer passwords, although the share removed shrinks as the password grows: requiring at least one digit in an eight-character password lets the attacker skip the 85^8 digit-free combinations, about 41 percent of the 95^8 keyspace. The reason such rules exist at all is that human-chosen passwords are far from uniformly random; their real job is to steer people away from the all-lowercase dictionary words covered in the next section, not to enlarge the keyspace.
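The arithmetic above, carried through for the two-character case and for eight-character passwords, as an added example (this is editor-supplied code, not from the original article). The guess rate of five per second is the article's illustrative figure, not a realistic attacker speed; a GPU cracking a fast hash tries billions per second, which only scales every time below by the same factor.

```python
# Added example: keyspace size and expected brute-force time for the password
# policies discussed in the article. Not part of the original post.

PRINTABLE_ASCII = 95      # printable ASCII: space (0x20) through tilde (0x7E)
DIGITS = 10
GUESSES_PER_SECOND = 5    # the article's illustrative attacker speed, an assumption


def keyspace_free(length, alphabet=PRINTABLE_ASCII):
    """All passwords of the given length with every position drawn from the alphabet."""
    return alphabet ** length


def keyspace_at_least_one_digit(length, alphabet=PRINTABLE_ASCII, digits=DIGITS):
    """Passwords containing at least one digit somewhere: every password minus
    the ones built only from the (alphabet - digits) non-digit characters."""
    return alphabet ** length - (alphabet - digits) ** length


def keyspace_digit_in_known_position(length, alphabet=PRINTABLE_ASCII, digits=DIGITS):
    """Policy where the attacker also knows which position holds the digit
    (the article's 95 x 10 case for a two-character password)."""
    return digits * alphabet ** (length - 1)


def fraction_removed(length):
    """Share of the free keyspace that an 'at least one digit' rule lets the attacker skip."""
    free = keyspace_free(length)
    return (free - keyspace_at_least_one_digit(length)) / free


def expected_seconds(space, rate=GUESSES_PER_SECOND):
    """Expected search time for a uniformly random password: half the keyspace on average."""
    return space / 2 / rate


def policy_table(length):
    """Keyspace and expected search time for each policy at one password length."""
    rows = {
        "any characters": keyspace_free(length),
        "at least one digit": keyspace_at_least_one_digit(length),
        "digit in a known position": keyspace_digit_in_known_position(length),
    }
    return {name: (space, expected_seconds(space)) for name, space in rows.items()}


if __name__ == "__main__":
    for length in (2, 8):
        print(f"--- length {length} ---")
        for name, (space, secs) in policy_table(length).items():
            print(f"{name:28s} keyspace={space:>22,d}  expected={secs:,.0f} s")
        print(f"'at least one digit' removes {fraction_removed(length):.1%} of the keyspace")
```

Run it directly to print both tables; the eight-character rows show the rule still removing a large fraction of candidates, even though the absolute search time is now dominated by length rather than by the policy.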

Other password pitfalls

That's not to say that a password should be something as simple as 'walrus': walrus is a common dictionary word and is subject to a "dictionary attack". A dictionary attack is an attempt to gain access to a system by trying common words and known passwords (such as 'letmein', 'password123', et cetera) instead of the full keyspace, which is why a long keyspace on paper does not help a password that appears in such a list.

Beyond these common pitfalls, there are other ways that a password can be easy to guess. A spouse's name, your date of birth, your mailing address, et al. are examples of what not to use in a password, because an attacker who knows anything about you will try them first.

The building blocks of a good password

Longer passwords are better, and contrary to the common misconception, they don't have to be difficult to remember. A simple phrase can be easy to remember but long enough to be difficult to brute force. Something like 'ILikeDrinkingWhiskey,ButNotMoreThan5Shots.' mixes upper and lower case, special characters (comma, period, et cetera), and numbers but, due to one particularly eventful evening, is very easy for me to remember (although that's not my actual password).

It's also a good practice to reset your passwords periodically, and always after any suspected exposure. For example, when getting started with a new server, we recommend immediately resetting the password you were issued and following these guidelines:

Use at least 8 characters; longer is better.

Use a combination of upper-case letters, lower-case letters, and numbers.

Avoid words or names, especially your name or the name of your business.

Avoid a password that shares most of its characters with the previous password. For example, changing "Codero1" to "Codero2" is not a safe practice.
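The guidelines above, together with the dictionary and personal-information pitfalls from the previous section, can be turned into a single policy check. The following is an added example (editor-supplied, not Codero's own tooling); the wordlist and personal terms are constructed stand-ins for a real cracking dictionary and a real account's details, and the similarity threshold (edit distance of 2 or less) is an assumption.

```python
# Added example: a password policy check covering the article's guidelines.
# Not part of the original post. COMMON_WORDS is a constructed stand-in for a
# real dictionary-attack wordlist.
import re
import string

COMMON_WORDS = {"password", "password123", "letmein", "qwerty", "walrus"}
MAX_SIMILAR_DISTANCE = 2   # assumption: edit distance at or below this is "too similar"


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw):
    """Lower-case and strip leading/trailing digits and punctuation, so that
    'Password123' compares equal to the dictionary entry 'password'."""
    return pw.lower().strip(string.digits + string.punctuation)


def check_password(candidate, previous=None, personal_terms=(), wordlist=COMMON_WORDS):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")

    # Dictionary attack: exact match (after normalization) against known passwords.
    if candidate.lower() in wordlist or normalize(candidate) in wordlist:
        problems.append("matches a common password or dictionary word")

    # Personal information (your name, business name, spouse, etc.): substring match.
    for term in personal_terms:
        if term and term.lower() in candidate.lower():
            problems.append(f"contains personal term {term!r}")

    # Reuse: 'Codero1' -> 'Codero2' differs by one edit and normalizes to the same word.
    if previous:
        if normalize(previous) == normalize(candidate) or \
                levenshtein(candidate.lower(), previous.lower()) <= MAX_SIMILAR_DISTANCE:
            problems.append("too similar to the previous password")
    return problems


def is_acceptable(candidate, **kwargs):
    return not check_password(candidate, **kwargs)


if __name__ == "__main__":
    cases = [
        ("Codero2", {"previous": "Codero1", "personal_terms": ("Codero",)}),
        ("walrus", {}),
        ("Password123", {}),
        ("ILikeDrinkingWhiskey,ButNotMoreThan5Shots.", {}),
    ]
    for pw, kwargs in cases:
        print(f"{pw!r}: {check_password(pw, **kwargs) or 'OK'}")
```

The check deliberately matches dictionary words by whole-password equality rather than substring, so a long passphrase that happens to contain a common word is not rejected; personal terms are matched as substrings because an attacker will try them as building blocks.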

The moral of the story is that a password should be long and drawn from the full range of available characters, so that the keyspace an attacker must search is as large as possible, while avoiding anything that appears in a dictionary or could be guessed from your life.

No password will make any system perfectly secure, but by using the tips above, you can make it as hard on attackers as you can. After all, passwords are one of the lines of defense keeping your dedicated server environment secure.